Critical Vulnerability in Zimbra Webmail under Active Exploitation (CVE-2025-68645)

Executive Summary

On January 23, CISA added a critical Local File Inclusion (LFI) vulnerability in Zimbra Collaboration (ZCS) to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability, tracked as CVE-2025-68645 and originally reported on December 22nd, allows unauthenticated remote attackers to include arbitrary files from the WebRoot directory by crafting malicious requests to an endpoint in the RestFilter servlet. The files exposed this way can leak enough information to compromise the server itself and give a threat actor initial access to an organization's network.

A public proof-of-concept (PoC) exploit is available on GitHub, and the inclusion in CISA's KEV catalog confirms exploitation in real-world attacks. Beazley Security Labs strongly recommends that administrators apply the patch immediately.

Affected Systems and Products

Product                      Affected Versions        Fixed Version
Zimbra Collaboration (ZCS)   10.0.0 to 10.0.17        10.0.18
Zimbra Collaboration (ZCS)   10.1.0 to 10.1.12        10.1.13
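As an added triage helper (not Beazley Security's or Zimbra's own tooling), the script below encodes the affected and fixed ranges from the table and applies them to a ZCS version string. It assumes the version appears as a dotted x.y.z value somewhere in the output of `zmcontrol -v`; the sample output strings in the comments and tests are constructed, and the exact wording of that command's output on your build may differ, so confirm it before relying on the parser.

```python
"""Triage helper for CVE-2025-68645: decide whether a Zimbra Collaboration
version string falls inside the affected ranges listed in the advisory.
Added example, not Beazley Security's or Zimbra's own tooling."""
import re

# Affected ranges (inclusive) and fixed versions exactly as the advisory lists them.
AFFECTED_RANGES = {
    (10, 0): ((10, 0, 0), (10, 0, 17)),
    (10, 1): ((10, 1, 0), (10, 1, 12)),
}
FIXED_VERSIONS = {(10, 0): (10, 0, 18), (10, 1): (10, 1, 13)}

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract the first dotted x.y.z version from free text, e.g. a constructed
    line such as 'Release 10.1.9.GA.4818.UBUNTU22.64 UBUNTU22_64 FOSS edition.'
    (assumed shape of `zmcontrol -v` output). Returns (major, minor, patch) or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(g) for g in m.groups())


def assess(version):
    """Return (status, fixed_version). status is 'affected', 'fixed', or
    'out-of-scope' for branches the advisory does not mention (e.g. 9.0)."""
    branch = version[:2]
    if branch not in AFFECTED_RANGES:
        return "out-of-scope", None
    low, high = AFFECTED_RANGES[branch]
    fixed = FIXED_VERSIONS[branch]
    if low <= version <= high:
        return "affected", fixed
    return "fixed", fixed


def triage(text):
    """Parse a version string and return a dict suitable for reporting."""
    version = parse_version(text)
    if version is None:
        return {"version": None, "status": "unknown", "fixed": None}
    status, fixed = assess(version)
    return {
        "version": ".".join(map(str, version)),
        "status": status,
        "fixed": ".".join(map(str, fixed)) if fixed else None,
    }


if __name__ == "__main__":
    # Stand-alone use on a mailbox node: zmcontrol must run as the zimbra user.
    import subprocess
    import sys

    try:
        out = subprocess.run(
            ["su", "-", "zimbra", "-c", "zmcontrol -v"],
            capture_output=True, text=True, check=True,
        ).stdout
    except (OSError, subprocess.CalledProcessError) as exc:
        print(f"could not run zmcontrol -v: {exc}", file=sys.stderr)
        sys.exit(2)
    result = triage(out)
    print(result)
    # Non-zero exit makes the check usable from fleet tooling.
    sys.exit(1 if result["status"] == "affected" else 0)
```

Run it on each mailbox node, or feed collected version strings into `triage()` from an inventory; a status of `unknown` means the parser did not find a version and the output format should be checked by hand.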

Patches

Patches are available through Zimbra's Patch Document, which provides step-by-step installation instructions tailored to each supported version.

For 10.0.x deployments, follow the 10.0.x Patch Installation instructions to reach 10.0.18.

For 10.1.x deployments, follow the 10.1.x Patch Installation instructions to reach 10.1.13.

Technical Details

The advisories from Zimbra and NIST, together with the public proof-of-concept exploit on GitHub, describe a Local File Inclusion (LFI) vulnerability in the /h/rest endpoint of the RestFilter servlet in the Webmail Classic UI.

LFI vulnerabilities are a common bug class: the application is tricked into reading, returning, or executing a file from its own filesystem that was never meant to be reachable from the outside. In the case of CVE-2025-68645, the exposed files appear to be limited to the WebRoot directory, which nonetheless often contains deployment descriptors and configuration files with sensitive information. An attacker can use that information to further compromise the system or to exfiltrate additional sensitive data.
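To support hunting for exploitation attempts, here is an added example (not Beazley Security's or Zimbra's own detection content) that scans web-server access logs in combined log format for requests to the /h/rest endpoint named in the advisory. The endpoint is the only indicator taken from the advisory; the path-traversal and configuration-file-reference patterns are generic LFI hunting heuristics assumed here, not the request shape used by the public PoC, which this page does not describe. The log lines embedded in the block are constructed, and the default log path (`/opt/zimbra/log/nginx.access.log`) is an assumption about a typical proxy node that you should confirm on your deployment.

```python
"""Hunt helper for CVE-2025-68645 over access logs in combined log format.
Added example, not Beazley Security's or Zimbra's own detection content.
The /h/rest endpoint comes from the advisory; the traversal and file-reference
indicators are generic LFI heuristics assumed here, not the PoC's request shape."""
import re
import sys
from collections import defaultdict
from urllib.parse import unquote

# Combined log format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

TARGET_PREFIX = "/h/rest"  # endpoint named in the advisory
# Assumed generic indicators: directory traversal and references to files that
# commonly live under a Java WebRoot (WEB-INF descriptors, property/config files).
TRAVERSAL_RE = re.compile(r"\.\.[/\\;]|\.\.$")
FILE_REF_RE = re.compile(r"WEB-INF|META-INF|\.(?:xml|properties|jsp|conf)\b", re.IGNORECASE)

# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [23/Jan/2026:10:14:02 +0000] "GET /h/rest/%2e%2e/WEB-INF/web.xml HTTP/1.1" 200 4821 "-" "curl/8.5.0"
203.0.113.10 - - [23/Jan/2026:10:14:05 +0000] "GET /h/rest/../WEB-INF/app.properties HTTP/1.1" 404 312 "-" "curl/8.5.0"
198.51.100.7 - - [23/Jan/2026:10:15:11 +0000] "GET /h/rest HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [23/Jan/2026:10:16:40 +0000] "GET /service/soap HTTP/1.1" 200 1288 "-" "Mozilla/5.0"
"""


def normalize(path):
    """Percent-decode twice so indicators hidden as %2e%2e or %252e%252e show up."""
    return unquote(unquote(path))


def classify(line):
    """Return None for lines that do not touch the target endpoint, otherwise a
    dict with parsed fields, the indicators that matched, and a severity."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = normalize(m["path"])
    if not path.startswith(TARGET_PREFIX):
        return None
    indicators = []
    if TRAVERSAL_RE.search(path):
        indicators.append("traversal")
    if FILE_REF_RE.search(path):
        indicators.append("file-reference")
    # A 200 on a request that already looks like an inclusion attempt is the
    # case to escalate first: the server may actually have served the file.
    if indicators and m["status"] == "200":
        indicators.append("served-200")
    if "served-200" in indicators:
        severity = "high"
    elif indicators:
        severity = "medium"
    else:
        severity = "low"  # plain hit on the endpoint; baseline before acting
    return {"ip": m["ip"], "ts": m["ts"], "path": path,
            "status": m["status"], "indicators": indicators, "severity": severity}


def hunt(lines):
    """Classify every line and roll the findings up per source address."""
    findings = [f for f in (classify(line) for line in lines) if f]
    per_ip = defaultdict(lambda: {"requests": 0, "high": 0, "medium": 0, "low": 0})
    for f in findings:
        per_ip[f["ip"]]["requests"] += 1
        per_ip[f["ip"]][f["severity"]] += 1
    return findings, dict(per_ip)


if __name__ == "__main__":
    # With no argument, run against the constructed sample; otherwise read a log file.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()  # assumed real path: /opt/zimbra/log/nginx.access.log
    findings, per_ip = hunt(lines)
    for f in findings:
        print(f"{f['severity']:6} {f['ip']:15} {f['status']} {f['path']} {f['indicators']}")
    print("per source:", per_ip)
```

Treat a `low` finding as a baseline signal rather than an alert: some legitimate traffic may reach /h/rest, so compare hit counts against your pre-December history. Anything rated `high` (an inclusion-shaped request answered with 200) warrants pulling the full request from the log, checking the mailbox node's version against the fixed releases, and reviewing the server for follow-on activity.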

How Beazley Security is Responding

Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.

We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.

If you believe your organization may have been impacted by this attack campaign and need support, please contact our Incident Response team.
